Identity & Access Management (IAM)

From PiRho Knowledgebase
Revision as of 06:37, 6 July 2026 by Dex (talk | contribs) (Created page with "'''Summary:''' Identity & Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements. == Context == Modern organisations depend upon hundreds, sometimes thousands...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Summary: Identity & Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.

Context

Modern organisations depend upon hundreds, sometimes thousands, of interconnected systems. Employees, contractors, customers, partners, applications, services, and devices all require some form of digital identity.

Without a structured approach to managing identities and access permissions, organisations quickly face security challenges, operational inefficiencies, and compliance risks.

IAM provides a framework for:

  • Identifying users and systems
  • Authenticating identities
  • Authorising access
  • Managing permissions
  • Auditing activity
  • Enforcing security policies

While IAM is often associated with user logins, it extends far beyond authentication and forms a critical component of modern cybersecurity architecture.

Common Misconceptions

  • IAM is not simply Active Directory.
  • IAM is not just password management.
  • IAM is not solely a security concern.
  • IAM is both a business process and a technical implementation.

Many access-related incidents result from poor governance rather than technical failures.

Core Concepts

Identity

An identity represents a person, service, application, device, or process within a system.

Examples include:

  • Employee accounts
  • Service accounts
  • Application identities
  • Customer identities
  • Managed devices

An identity should uniquely represent a single entity.

Authentication

Authentication answers the question:

"Who are you?"

Common authentication methods include:

  • Username and password
  • Multi-Factor Authentication (MFA)
  • Smart cards
  • Certificates
  • Biometrics
  • Security keys

Authentication establishes confidence in an identity claim.

Authorisation

Authorisation answers the question:

"What are you allowed to do?"

After authentication succeeds, systems evaluate permissions, roles, policies, and access rules before granting access to resources.

Examples include:

  • Read access
  • Modify access
  • Administrative privileges
  • Application-specific permissions

Accounting and Auditing

Authentication and authorisation are only part of the picture.

Organisations must also record:

  • Login activity
  • Permission changes
  • Administrative actions
  • Resource access events

These records support security investigations, compliance audits, and operational troubleshooting.

Identity Lifecycle Management

IAM is fundamentally about managing identities throughout their lifecycle.

Joiner

When a new employee joins:

  • Identity is created
  • Accounts are provisioned
  • Access is assigned
  • Security policies are applied

Mover

When responsibilities change:

  • Permissions are reviewed
  • New roles are assigned
  • Old permissions are removed

Leaver

When an individual leaves:

  • Accounts are disabled
  • Authentication methods are revoked
  • Access permissions are removed
  • Audit records are retained

Failure to properly manage the Joiner-Mover-Leaver process is one of the most common causes of excessive permissions and unauthorised access.

Access Control Models

Role Based Access Control (RBAC)

Users are assigned roles.

Example:

  • Helpdesk Operator
  • HR Manager
  • Finance Administrator

Permissions are granted to roles rather than individual users.

Benefits include:

  • Simplified administration
  • Consistency
  • Easier auditing

Attribute Based Access Control (ABAC)

Access decisions are based upon attributes.

Examples:

  • Department
  • Location
  • Device compliance state
  • Time of day
  • Security clearance

ABAC enables highly flexible policy-driven access decisions.

Policy-Based Access Control

Modern cloud platforms frequently use policy engines to evaluate access requests dynamically.

Examples include:

  • Conditional Access
  • Zero Trust Policies
  • Risk-Based Access Controls

Authentication Technologies

Multi-Factor Authentication (MFA)

MFA combines multiple forms of verification.

Typical factors include:

  • Something you know (password)
  • Something you have (token)
  • Something you are (biometric)

Compromised credentials remain one of the most common attack vectors, making MFA a foundational security control.

Single Sign-On (SSO)

SSO allows users to authenticate once and access multiple systems.

Benefits include:

  • Improved user experience
  • Reduced password fatigue
  • Centralised security control

Federation

Federation enables organisations to trust external identity providers.

Examples include:

  • Microsoft Entra ID
  • Active Directory Federation Services (ADFS)
  • OAuth Providers
  • OpenID Connect Providers

Users authenticate with their home identity provider rather than maintaining separate credentials in every application.

Practical Application

A typical modern enterprise IAM platform may provide:

  • Directory services
  • Single Sign-On
  • Multi-Factor Authentication
  • Self-Service Password Reset
  • Conditional Access
  • Identity Governance
  • Privileged Access Management
  • Audit Reporting

A common architecture might look like:

                    +------------------+
                    | Identity Source  |
                    |  HR System       |
                    +---------+--------+
                              |
                              v
                    +------------------+
                    | IAM Platform     |
                    | Identity Store   |
                    +---------+--------+
                              |
          +-------------------+-------------------+
          |                   |                   |
          v                   v                   v

   +-------------+    +-------------+    +-------------+
   | Microsoft   |    | SaaS Apps   |    | On-Premise  |
   | 365         |    | CRM, ERP    |    | Systems     |
   +-------------+    +-------------+    +-------------+

Identity Governance

Identity Governance focuses on ensuring access remains appropriate over time.

Typical controls include:

  • Access reviews
  • Segregation of duties
  • Approval workflows
  • Periodic recertification
  • Exception management

Governance prevents permission accumulation and reduces insider risk.

Privileged Access Management (PAM)

Administrative accounts represent high-value targets.

PAM solutions help organisations:

  • Separate administrative and user accounts
  • Implement just-in-time access
  • Record privileged sessions
  • Protect sensitive credentials
  • Reduce standing privilege

Modern security strategies increasingly assume that privileged access should be temporary rather than permanent.

Common Pitfalls

Permission Creep

Users gradually accumulate permissions over time.

This often occurs when role changes are not accompanied by access reviews.

Shared Accounts

Shared accounts reduce accountability and complicate auditing.

Where possible, every action should be traceable to a unique identity.

Service Account Neglect

Service accounts frequently:

  • Use static passwords
  • Avoid MFA
  • Remain undocumented

These accounts often become overlooked security risks.

Excessive Administrator Access

Granting broad administrative permissions for convenience frequently increases the impact of compromise.

Design & Architecture Considerations

When designing an IAM solution, consider:

Scalability

Can the solution support organisational growth?

Security

Does it support:

  • MFA
  • Conditional Access
  • Strong authentication
  • Risk-based controls

Maintainability

Can administrators easily:

  • Onboard users
  • Remove access
  • Audit permissions
  • Automate processes

Integration

Can identities be integrated across:

  • Cloud platforms
  • On-premise systems
  • Third-party applications
  • APIs and services

Troubleshooting & Diagnostics

When access issues occur, investigate:

Identity Issues

  • Does the account exist?
  • Is it enabled?
  • Is it synchronised correctly?

Authentication Issues

  • Password problems
  • MFA failures
  • Certificate errors
  • Token expiration

Authorisation Issues

  • Missing role assignments
  • Group membership problems
  • Conditional access restrictions
  • Policy conflicts

Audit Logs

Review:

  • Authentication logs
  • Access logs
  • Security alerts
  • Provisioning events

Audit trails often reveal the root cause faster than troubleshooting individual systems.

Design Philosophy

Strong IAM systems should follow a simple principle:

Trust identities only after verification, grant access only when required, and continuously validate that access remains appropriate.

This philosophy aligns closely with modern Zero Trust security models, where no user, device, application, or network location is automatically trusted.

Related Topics

References

  • NIST Digital Identity Guidelines
  • NIST Zero Trust Architecture
  • Microsoft Entra Documentation
  • OAuth 2.0 Specifications
  • OpenID Connect Specifications
  • ISO 27001
  • CIS Controls